Life Lesson learnt : the best things in life are free... and elegant 🙂 0 Karma Reply Solution gkanapathy Splunk Employee 07-04-2012 08:11 PM Seems to me you should dedup only after bucketing by _time. I don't know really what your data means, but...